FindBugs™ - Find Bugs in Java Programs
This is the web page for FindBugs, a program which uses static analysis
to look for bugs
in Java code. It is free software, distributed under the
terms of the
Lesser GNU
Public License. The name FindBugs™ and the
FindBugs logo are trademarked by
The University of Maryland.
As of July, 2008, FindBugs has been downloaded more than 700,000 times.
FindBugs requires JRE (or JDK) 1.5.0 or later to run.
However, it can analyze programs compiled for any version of Java.
The current version of FindBugs is 1.3.9, released on
20:11:47 EDT, 21 August, 2009.
We are very interested in getting feedback on how to improve
FindBugs.
Changes |
Talks |
Papers |
Sponsors |
Support
New
JavaOne talk:
Slides from my JavaOne talk,
Mistakes That Matter.
FindBugs community review: We are previewing FindBugs community review,
in which anyone can review issues in open source projects (i.e., mark
issues as "must fix" or "mostly harmless"), and those reviews
are automatically shared with other reviewers.
This is a pre-beta release, not ready for deployment. The implementation
will be undergoing significant changes before general availability.
Initially, we are posting results for:
- Google FindBugs Fixit: Google has a tradition of engineering fixits, special days where they try to get all of their engineers focused on some specific problem or technique for improving the systems at Google. A fixit might work to improve web accessibility, internal testing, removing TODO's from internal software, etc.
On May 13-14, Google held a global fixit for UMD's FindBugs tool, a static analysis tool for finding coding mistakes in Java software. The focus of the fixit was to get feedback on the 4,000 highest confidence issues found by FindBugs at Google, and let Google engineers decide which issues, if any, needed fixing.
More than 700 engineers ran FindBugs from dozens of offices. More than 250 of them entered more than 8,000 reviews of the issues. A review is a classification of an issue as must-fix, should-fix, mostly-harmless, not-a-bug, and several other categories. More than 75% of the reviews classified issues as must fix, should fix or I will fix. Many of the scariest issues received more than 10 reviews each.
Engineers have already submitted changes that made more than 1,100 of the 3,800 issues go away. Engineers filed more than 1,700 bug reports, of which 600 have already been marked as fixed. Work continues on addressing the issues raised by the fixit, and on supporting the integration of FindBugs into the software development process at Google.
The fixit at Google showcased new capabilities of FindBugs that provide a cloud computing / social networking backdrop. Reviews of issues are immediately persisted into a central store, where they can be seen by other developers, and FindBugs is integrated into the internal Google tools for filing and viewing bug reports and for viewing the version control history of source files. For the Fixit, FindBugs was configured in a mode where engineers could not see reviews from other engineers until they had entered their own; after the fixit, the configuration will be changed to a more open configuration where engineers can see reviews from others without having to provide their own review first. These capabilities have all been contributed to UMD's open source FindBugs tool, although a fair bit of engineering remains to prepare the capabilities for general release and make sure they can integrate into systems outside of Google. The new capabilities are expected to be ready for general release in Fall 2009.
The current version of FindBugs is 1.3.9.
Changes since version 1.3.8
- New bug patterns; in some cases, bugs previously reported as other bug patterns are reported as instances
of these new bug patterns in order to make it easier for developers to understand the bug reports
- Providing a bug rank (1-20), and the ability to filter by bug rank. Eventually,
it will be possible to specify your own rules for ranking bugs, but the procedure for doing so hasn't been specified yet.
- Fixed about 45 bugs filed through SourceForge
- Various reclassifications and priority tweaks
- Added more bug annotations to a variety of bug reports.
This provides more context for understanding bug reports
(e.g., if the value in question is the return value
of a method, the method is described as the source of
the value in a bug annotation). This also provides more
accurate tracking of issues across versions of the code
being analyzed, but has the downside that when comparing
results from FindBugs 1.3.8 and FindBugs 1.3.9 on the
same version of code being analyzed,
FindBugs may mistakenly believe that the
issue reported by 1.3.8 was fixed and a new issue was
introduced that was reported by FindBugs 1.3.9. While
annoying, it would be unusual for more than a dozen
issues per million
lines of code to be mistracked.
- Lots of internal changes moving towards FindBugs 2.0, but these
features are undocumented, not yet officially supported, and subject to
radical changes before FindBugs 2.0 is released.
Older versions...
- Finding More Null Pointer Bugs,
But Not Too Many, by
David Hovemeyer, York College of Pennsylvania
and William Pugh, Univ. of Maryland,
7th ACM SIGPLAN-SIGSOFT Workshop on Program Analysis for Software Tools and Engineering,
June, 2007
- Evaluating Static Analysis
Defect Warnings On Production Software,
Nathaniel Ayewah and William Pugh, Univ. of Maryland, and
J. David Morgenthaler, John Penix and YuQian Zhou, Google, Inc.,
7th ACM SIGPLAN-SIGSOFT Workshop on Program Analysis for Software Tools and Engineering,
June, 2007
None, at the moment. We'd be very interested in any offers of support or
sponsorship.
YourKit is kindly supporting open source projects with its full-featured Java Profiler.
YourKit, LLC is creator of innovative and intelligent tools for profiling
Java and .NET applications. Take a look at YourKit's leading software products:
YourKit Java Profiler and
YourKit .NET Profiler.
The FindBugs project also uses
FishEye and
Clover,
which are generously provided by
Cenqua/Atlassian.
Additional financial support for the FindBugs project has been provided by
Google,
Sun Microsystems,
National Science Foundation
grants ASC9720199 and CCR-0098162,
Fortify Software,
SureLogic,
and by a 2004
IBM
Eclipse Innovation award.
Any opinions, findings and conclusions or recommendations
expressed in this material are those of the author(s) and do not
necessarily reflect the views of the National Science Foundation
(NSF).
Send comments to